Resurrecting Pentax firmware hacking
I'd better start with an introduction as this is my first post. I own a K30 with a load of old manual lenses. I'm also a full-time reverse engineer and I'm very interested in rebooting firmware hacking on the Pentax. However, I need help and can't do it alone.
I've gone through all the previous posts on Pentax hacking as well as the useful but old Pentax hacking site. Based on this I've seen that the biggest problems for creating a hacked firmware are:
- Need for experienced reverse engineers
- Cost of the required tools such as IDA Pro
- The FP instruction set
Luckily I can help with some of the above. First, experience: I'm a hardware hacker who previously ported CHDK to my Canon PowerShot, so I've got some experience in hacking firmware on cameras. Next, tooling: for the people who don't know, you need an expensive disassembler called IDA Pro. I have this and the tool that changes assembly into a higher-level language, the decompiler. Finally, the instruction set. I've done a lot of work reverse engineering the chip that's inside the K30 and, I believe, newer models as well. This I think is a Fujitsu Milbeaut MB91696AM. The great thing about this is that it's based around a dual core ARM Cortex M4 CPU. This means no horrible FP instruction set! It's all ARM, and that's what I'm good at.
My progress so far:
- Decrypted the firmware
- Performed a lot of reverse engineering. Large parts found, including memory allocation functions, displaying text on screen, etc.
- Found all the debug processing code
- Found the firmware decryption routines
- Written custom firmware that allows custom code to be run
- Started the PHDK project
Useful links:
- PHDK Wiki
- Paper describing the work so far (very technical)
- PHDK source code
What I need (so far):
- Service manual for a K30 (or even a similar model). This would be really useful in understanding how all the debug functionality actually works.
- Datasheet for the MB91696AM or even a very similar ARM based CPU
- Someone to tell me the offsets to icons/text images in the binary. This would rapidly increase the number of functions I can find!
How you can help:
- I will need testers. Be warned there is a small chance of bricking the camera...
- I need people to help with the disassembly. You'll need a copy of IDA Pro (or maybe notepad - see below).
- Does anyone know anyone at Pentax / Ricoh? I'm considering dropping their marketing team an email.
- Don't request features. At the moment there is only one feature - get custom code running on the device.
- Don't request other cameras. I own a K30 and that's what I'm working on.
One of the big things is helping with decompilation of the firmware. It's too big to do alone. Given this, I can dump a massive text file with all the functions in C-like code. If anyone has some programming background this might be a good way to help out. Is anyone interested? I still want to play nice with Pentax while I'm requesting their help, so I will only PM out the file.
Big issues at present
Icons / text images (fonts)
There are very few strings in the main camera code. All the text is embedded in image data. I suspect that this is stored as RAW bitmap data directly in the firmware. It would be really useful to get the locations of at least one of these images; then I can find the rest. I'm not quite sure how to find them, but The Gimp has an option for opening RAW files and changing the offsets into it. I've had a look but without much luck.
Give me a few weeks and I hope to be at the point where I can write custom firmware which can then execute a file on the SD card containing additional functionality. I want to perform my code changes inside the debug mode routines; this should mean it's safer, as this code is not called by default. At this point some brave soul will need to flash their camera. Once that works, all we will need to do is update the executable on the SD card. Well, that's the idea anyway. Other options are to find a method in the existing debug routines which allows this, or alternatively to look for an exploit.
Brain dump over.
Last edited by Shodan; 01-20-2015 at 04:00 AM.
Reason: Done some stuff